Nginx UI Vulnerabilities Let Attackers Download Full System Backups


A critical security flaw has been discovered in Nginx UI that allows unauthenticated threat actors to download and decrypt complete system backups.

Tracked as CVE-2026-27944, this vulnerability carries a critical-severity score of 9.8 out of 10.

The flaw exposes highly sensitive data, including user credentials, session tokens, and SSL private keys, putting entire server environments at severe risk of compromise.

Vulnerability Analysis

The vulnerability stems from two major coding errors in the Go-based Nginx UI application, specifically affecting versions before 2.3.2.

First, the application fails to enforce proper authentication on the /api/backup endpoint.

Unlike the system’s restore function, which correctly uses security middleware to block unauthorized access, the backup routing is left completely open to the public internet.

This oversight corresponds to CWE-306 (Missing Authentication for Critical Function).

Second, the system suffers from a severe cryptographic failure, tracked as CWE-311 for missing encryption of sensitive data.

While Nginx UI attempts to secure the generated backup archives using AES-256-CBC encryption, it completely defeats this protection by transmitting the decryption keys directly to the requester.

When anyone makes a GET request to the vulnerable endpoint, the server responds with an X-Backup-Security HTTP header.

This header contains the base64-encoded AES-256 key and the 16-byte Initialization Vector (IV), unprotected, so anyone who can request the archive can also decrypt it.
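To make the two defects concrete, here is an added Go example that is not Nginx UI's own code: a hypothetical `requireAuth` middleware, a `NewMux` router that can be built with or without that middleware on /api/backup, and an `AuditRoute` check of the kind a regression test would run against the router before release. The bearer token, handler bodies and header value are constructed placeholders.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// requireAuth stands in for the project's security middleware (hypothetical); the token is constructed.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer valid-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NoAuth is the wrapper the vulnerable build effectively used on /api/backup: none.
func NoAuth(h http.Handler) http.Handler { return h }
func restoreHandler(w http.ResponseWriter, r *http.Request) { w.Write([]byte("restored")) }

// backupHandler mirrors the behaviour the article describes: the archive comes back
// together with its key material in the X-Backup-Security header (CWE-311).
func backupHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Backup-Security", "BASE64-KEY-PLACEHOLDER:BASE64-IV-PLACEHOLDER")
	w.Write([]byte("zip-bytes"))
}

// NewMux registers /api/restore behind the middleware and /api/backup behind the
// wrapper passed in: NoAuth reproduces the CWE-306 oversight, requireAuth fixes it.
func NewMux(wrapBackup func(http.Handler) http.Handler) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/restore", requireAuth(http.HandlerFunc(restoreHandler)))
	mux.Handle("/api/backup", wrapBackup(http.HandlerFunc(backupHandler)))
	return mux
}

// AuditRoute sends a credential-less GET to path and classifies the answer as
// "rejected" (middleware held), "open" (handler reached) or "open+key-leak".
func AuditRoute(h http.Handler, path string) string {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, path, nil))
	switch {
	case rr.Code != http.StatusOK:
		return "rejected"
	case rr.Header().Get("X-Backup-Security") != "":
		return "open+key-leak"
	}
	return "open"
}
```

Running `AuditRoute` over every route of the real router in CI would have flagged the unprotected backup endpoint before release; the key-header case is the reason even an authenticated backup download should carry its key material out of band.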

Security researcher 0xJacky recently published a proof-of-concept Python script demonstrating how easily this flaw can be weaponized.

The script targets the base URL, requests the backup without any login credentials, and decrypts and unpacks the downloaded archives using the keys returned in the response header.

Because the exploit relies on standard HTTP requests and basic cryptographic libraries, threat actors can quickly automate attacks at scale.

The extracted backups contain catastrophic system secrets. The system database, user credentials, and configuration secrets are exposed in the nginx-ui.zip archive.

Furthermore, the nginx.zip archive reveals core Nginx configurations, virtual host setups, and complete SSL certificate chains with private keys.

Because this vulnerability requires no user interaction and is trivial to exploit over the network, organizations using Nginx UI must take immediate action.

The lack of authentication means that any automated scanner or malicious bot can easily discover and exploit exposed instances in seconds.

Administrators must urgently apply the following remediation steps to secure their environments:

  • Patch Management: Immediately upgrade the Nginx UI to version 2.3.3 to properly secure the backup endpoint.
  • Credential Reset: Assume all active user credentials and session tokens have been compromised and rotate them immediately.
  • Certificate Rotation: Generate and deploy new SSL/TLS private keys and certificates across all affected servers.
  • Network Security: Restrict all Nginx UI administrative interfaces to trusted internal networks and block public internet access.
